Bug#732355: asterisk: Two Asterisk security issues

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Dec 20 13:12:05 UTC 2013


On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> > On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi,
> > > please see
> > > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> > 
> > Looking at them. At first glance: both of them also affect 1.6.2 from
> > old-stable. AST-2013-007 introduces a new configuration item and we have
> > to see what the sane default for it should be.
> 
> I think we should follow upstream and keep live_dangerously activated
> We can add a note to the advisory what setting must be tweaked.

Attached are debdiffs for oldstable and stable uploads. I couldn't find
CVE entries.

I added an extra bug fix to help me patch the issue, for a bug that is
marginally a remote crash bug:
https://issues.asterisk.org/jira/browse/ASTERISK-20658
(Asterisk Realtime means getting some of Asterisk's configuration from a
database)


More on AST-2013-007:

(maybe shorten it a bit?)

Asterisk employs in its dialplan and various other places a syntax for
variable expansion: ${VAR} expands to the value of VAR. Similarly there
are also some functions that use a similar syntax: ${RANDOM(5)} or
${CUT(20-30-40,-,2)}. Some are more potent, however, such as SHELL
(run a shell command and return the output).

The variables were primarily meant for the Asterisk dialplan, but may be
accessed through several other interfaces. For instance, the AMI
(Asterisk Manager Interface) provides a GetVar command. This will also
expand functions.

With the fix for AST-2013-007, a new knob was added in order to allow
the system administrator to disable expansion of "dangerous" functions
(such as SHELL()) from any interface which is not the dialplan. In
Stable and Oldstable this knob is disabled by default. To enable it, add
the following line to the section '[options]' in
/etc/asterisk/asterisk.conf (and restart asterisk):

  live_dangerously = no

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com
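The following is an added example, not code from the mail, from Asterisk or from the Debian package. It is a toy model of the mechanism described above: a `${...}` expander with a small function registry in which SHELL is flagged dangerous, gated by the `live_dangerously` value read from an asterisk.conf fragment, so that a non-dialplan caller (the AMI GetVar path) is refused SHELL() when `live_dangerously = no` is set while plain variables and harmless functions still expand. The config samples, the function registry (LEN, TOUPPER, SHELL) and the caller names are constructed assumptions for the illustration; the real function list and parser in Asterisk differ.

```python
"""Toy model of Asterisk-style ${VAR} / ${FUNC(args)} expansion gated by
live_dangerously. Hypothetical illustration, not Asterisk's own code."""
import re
import subprocess
from typing import Callable, Dict, Tuple

# Constructed asterisk.conf fragments (hypothetical, not a real system's file).
WEAK_CONF = """
[directories]
astetcdir => /etc/asterisk

[options]
verbose = 3      ; no live_dangerously line: upstream default applies
"""
HARDENED_CONF = WEAK_CONF + "live_dangerously = no\n"


def parse_sections(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's INI-like format: [section], ';' comments,
    and both 'key = value' and 'key => value' assignments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=>")
        if not sep:
            key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def live_dangerously_enabled(conf_text: str) -> bool:
    """A missing live_dangerously key means 'yes', as upstream ships it."""
    value = parse_sections(conf_text).get("options", {}).get("live_dangerously", "yes")
    return value.lower() in ("yes", "true", "y", "t", "1", "on")


def run_shell(args: str) -> str:
    # The dangerous one: executes its argument through /bin/sh.
    return subprocess.run(args, shell=True, capture_output=True, text=True).stdout


# name -> (implementation, dangerous?)  (constructed registry, not Asterisk's)
FUNCTIONS: Dict[str, Tuple[Callable[[str], str], bool]] = {
    "LEN": (lambda a: str(len(a)), False),
    "TOUPPER": (lambda a: a.upper(), False),
    "SHELL": (run_shell, True),
}

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a ${...} with nothing nested inside


class ExpansionDenied(Exception):
    pass


def expand(text: str, variables: Dict[str, str], caller: str, conf_text: str) -> str:
    """Expand innermost ${...} first, repeating until nothing changes (bounded).
    Dangerous functions are allowed for the dialplan, and for other callers
    only when live_dangerously is enabled."""
    allow_dangerous = caller == "dialplan" or live_dangerously_enabled(conf_text)

    def replace(m: "re.Match[str]") -> str:
        name, paren, rest = m.group(1).partition("(")
        if not paren:
            return variables.get(name, "")  # unknown variable expands to ""
        if not rest.endswith(")") or name not in FUNCTIONS:
            raise ValueError(f"bad function call: ${{{m.group(1)}}}")
        func, dangerous = FUNCTIONS[name]
        if dangerous and not allow_dangerous:
            raise ExpansionDenied(f"{name}() refused for caller {caller!r}: live_dangerously=no")
        return func(rest[:-1])

    for _ in range(16):  # bound protects against self-referential values
        new = _INNERMOST.sub(replace, text)
        if new == text:
            return new
        text = new
    raise ValueError("expansion did not converge")


def try_expand(text: str, variables: Dict[str, str], caller: str, conf_text: str) -> Tuple[str, str]:
    """AMI-style wrapper: ('ok', value) or ('denied', reason)."""
    try:
        return "ok", expand(text, variables, caller, conf_text)
    except ExpansionDenied as e:
        return "denied", str(e)


if __name__ == "__main__":
    env = {"NAME": "alice"}
    for conf, label in ((WEAK_CONF, "default"), (HARDENED_CONF, "live_dangerously=no")):
        print(label, "ami GetVar ${SHELL(id)} ->", try_expand("${SHELL(id)}", env, "ami", conf))
    print("dialplan ${TOUPPER(${NAME})} ->", expand("${TOUPPER(${NAME})}", env, "dialplan", HARDENED_CONF))
```

Run with the weak fragment, the "ami" caller gets SHELL() executed; with `live_dangerously = no` under `[options]` the same request is refused while the dialplan caller and harmless functions are unaffected, which is the split the advisory's knob introduces. The bounded loop exists because a variable whose value contains `${...}` referring to itself would otherwise expand forever.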
